Description 

SECURE NETWORK SYSTEM AND 
ASSOCIATED METHOD OF USE 

Cross Reference to Related Applications 

[0001] This patent application claims priority to U.S. Provisional Patent Application Serial No. 60/481,380 filed September 15, 2003. 
Background of Invention 

[0002] The need for providing security to computing systems has never been so critical as it is today. It is believed that traditional system security methods are no longer sufficient since access and duplication methods may still be available. Also, secure gateways for sending sensitive information between organizations may not be present. Security issues that need to be addressed include: limit access to system resources and data; provide controls regarding interactions with software programs, software file access, and utilities on a user-by-user basis; eliminate "super user" access by dividing super user functions into multiple roles to decrease security risks; provide an independent evaluation and auditing authority to the operating system to validate the security functions; prevent "eavesdropping" in the operating environment and provide a trusted path; prevent spoofing programs; and protect local devices against unauthorized users or use. 
[0003] Therefore, Common Criteria Certification, a globally accepted standard for security certification for computer networks, was developed. This certification is upheld by an independent third party organization that performs security evaluations. However, in order to maximize security when utilizing an untrusted computer network, e.g., a global computer system such as, but not limited to, the Internet, achieving Common Criteria Certification requires a significant duplication of hardware, software, server compartments, vendors and software languages. This security need involves protection of content available from the untrusted computer network as well as providing safe passage of the data from this untrusted system access to an organization's secure computing environment. This need exists for any organization that transmits and receives personal, confidential, proprietary and/or financial data. This applies to virtually every industry, with particular applicability to organizations that conduct financial transactions over an untrusted computer network, such as the financial services industry. A financial transaction of special interest includes a credit card transaction. Other industries that could benefit from this type of security include the government, e.g., military organizations, healthcare and the airline industry. Control of inventory data is crucial to having a secure system. Moreover, there is a strong need to prevent the hacking and associated defacing of websites that are accessible to the public. 
[0004] The present invention is directed to overcoming one or more of the problems set forth above. 
Summary of Invention 

[0005] In one aspect of this invention, a network computer system for providing security is disclosed. This network computer system includes a monitoring function for the network computer system, at least one outside server for an untrusted network, e.g., a global computer system, wherein the monitoring function can read and execute data from the at least one outside server for the untrusted computer network, at least one proxy server, wherein the at least one outside server for the untrusted computer network is able to read and write data to the at least one proxy server, wherein the monitoring function can read and execute data from the at least one proxy server, at least one inside server, wherein the at least one proxy server is able to read and write data to the at least one inside server, wherein the monitoring function can read and execute data from the at least one inside server, and a core operating system, wherein the at least one outside server, the at least one proxy server and the at least one inside server can read and execute data from the core operating system. 

[0006] In another aspect of this invention, a method for providing security to a network computer system is disclosed. The process includes reading and executing data from at least one outside server for an untrusted computer network, e.g., global computer system, with a monitoring function, reading and executing data from at least one proxy server for the untrusted computer network with the monitoring function, reading and writing data from the at least one outside server to the at least one proxy server, reading and executing data from at least one inside server for the untrusted computer network with the monitoring function, reading and writing data from the at least one proxy server to the at least one inside server, and reading and executing data from a core operating system, which is a portion of an operating system, with the at least one outside server, the at least one proxy server and the at least one inside server. 
[0007] These are merely some of the innumerable aspects of the present invention and should not be deemed an all-inclusive listing of the innumerable aspects associated with the present invention. These and other aspects will become apparent to those skilled in the art in light of the following disclosure and accompanying drawings. 
Brief Description of Drawings 

[0008] For a better understanding of the present invention, reference may be made to the accompanying drawing where FIG. 1 is a schematic of a secure network services integrated design in accordance with the present invention. 
Detailed Description 

[0009] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures and compartments have not been described in detail so as not to obscure the present invention. A server referred to in this Application can be a single processor or a whole series of processors. An illustrative, but nonlimiting, example of just one type of server that may suffice is the Sun Fire 4800™ Server, sold by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. 

[0010] The method of communication for this invention is through any untrusted computer network and preferably a global computer system, e.g., the Internet. However, there are numerous mechanisms for electronic communication that might suffice for this present invention. 

[0011] The purpose of the present invention is to provide a continuous and safe operation of a website located on an untrusted computer network. This is to provide maximum protection of the website while providing a safe passage of data into an organization's secure computing environment. The preferred design, illustrated by the schematic of FIG. 1, includes a series of compartments and is generally indicated by numeral 10. The compartments are preferably logical compartments for separate software functions but separate compartments of physical hardware can also be utilized to form the compartments. Moreover, compartments within this patent application do not specifically need to be a traditional logical compartment but can be a sensitivity label or a combination of logical compartments and sensitivity labels. Moreover, it can include any mechanism for identifying separate software functions. The preferred logical compartments can be collapsed and optimally housed within a unitary piece of hardware for an entire information technology enterprise. The preferred operating system is one that is Common Criteria Certified and is generally indicated by numeral 12. Illustrative, but nonlimiting, examples include TRUSTED SOLARIS™, licensed by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. Another illustrative, but nonlimiting example includes WINDOWS® 2000™ licensed by Microsoft, Inc. having a place of business at One Microsoft Way, Redmond, Washington 98052-6399. TRUSTED SOLARIS™ is currently preferred over WINDOWS® 2000™ since TRUSTED SOLARIS™ has received EAL4 LSPP Common Criteria Security Certification for an enterprise software application versus a stand-alone software application. 
[0012] The design of the secure network system of the present invention is based on a compartmental approach using the labeling features of a trusted operating system. The design is a top-down approach, with the least privileges allowed to the more vulnerable areas of the operating system. With a top-down approach, communication is limited, as described herein, and communication is only from upper compartments to immediately adjacent lower compartments. This downward communication is limited to the reading and execution of data, without writing. The only reading and writing of data is between immediately adjacent servers, as will be discussed in greater detail below. 

[0013] Referring now to FIG. 1, the first compartment provides system level auditing 14 and is labeled "high." Examples of system level auditing include syslog "system log protocol" events produced by the operating system. Syslog events include a transport mechanism for sending event messages across an IP, i.e., Internet Protocol, network that specifies the format of packets (also called datagrams) and the addressing scheme. The receiving server is known as an "event message collector." System events may be sent at the start or end of a process or to transmit the current status of some condition or process in the operating system or a software application. These log messages are well protected and are not available to other compartments in the system. Although there are a number of separate software programs that can perform this function, an illustrative, but nonlimiting, example of this type of system level auditing software includes TRUSTED SOLARIS™, licensed by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. TRUSTED SOLARIS™ is considered a military-grade version of the UNIX® operating system, which is an operating system registered by The Open Group, having a place of business at 44 Montgomery Street, Suite 960, San Francisco, California 94104-4704. Access to the TRUSTED SOLARIS™ system through the log-in function and passwords by authorized users from within the enterprise is described in technical literature that is available from Sun Microsystems, Inc. 
[0014] There is an intrusion detection system that includes a second logical compartment and a third logical compartment indicated by numerals 20 and 28, respectively. A host-based intrusion detection system (HIDS software) uses misuse detection that analyzes the information it gathers and compares it to large databases of attack signatures. The HIDS software looks for a specific attack that has already been documented. The HIDS software is only as good as the database of attack signatures that the HIDS software uses to make comparisons of packets. The HIDS software can also include anomaly detection, wherein the system administrator defines a baseline or normal state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies. The HIDS software can either be a passive system or a reactive system. In a passive system, the HIDS software detects a potential security breach, then logs the information and signals an alert. In a reactive system, the HIDS software responds to the suspicious activity by logging off a user or by blocking network traffic from the suspected malicious source. 
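The syslog event collector of paragraph [0013] and the two HIDS modes of paragraph [0014] (signature-based misuse detection and baseline anomaly detection, run passively) are illustrated below. This is an added example, not code from the patent or from any product it names. It assumes the classic BSD syslog line layout ("<PRI>Mon dd hh:mm:ss host tag[pid]: message"), a signature database expressed as regular expressions, and an anomaly baseline described by the mean and standard deviation of a single numeric feature; the sample log lines are constructed, not captured.

```python
"""Added example (not part of the patent): a minimal syslog event
collector feeding a passive host-based intrusion detector."""
import re
import statistics
from dataclasses import dataclass
from typing import List, Optional

# BSD syslog layout (assumption): <PRI>timestamp host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

@dataclass
class Event:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str

def parse_syslog(line: str) -> Event:
    """Decode one syslog line; PRI encodes facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return Event(pri // 8, pri % 8, m["ts"], m["host"], m["tag"],
                 int(m["pid"]) if m["pid"] else None, m["msg"])

# Constructed signature database: documented patterns of misuse.
SIGNATURES = {
    "ssh-root-password-attempt": re.compile(r"Failed password for root"),
    "sudo-policy-violation": re.compile(r"user NOT in sudoers"),
}

def signature_matches(event: Event) -> List[str]:
    """Misuse detection: compare the message against known attack signatures."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event.message)]

class AnomalyDetector:
    """Anomaly detection: the administrator trains a baseline of a numeric
    feature (here, failed logins per minute); a later sample more than
    `k` standard deviations above the mean is flagged."""
    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, samples) -> None:
        self.mean = statistics.fmean(samples)
        self.stdev = statistics.pstdev(samples)

    def is_anomalous(self, value: float) -> bool:
        return value > self.mean + self.k * self.stdev

def passive_hids(lines, baseline_counts, current_count) -> List[str]:
    """Passive mode: log and alert, never block. Returns the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        for sig in signature_matches(ev):
            alerts.append(f"SIGNATURE {sig} host={ev.host} tag={ev.tag} sev={ev.severity}")
    det = AnomalyDetector()
    det.train(baseline_counts)
    if det.is_anomalous(current_count):
        alerts.append(f"ANOMALY failed-logins/min={current_count} baseline mean={det.mean:.1f}")
    return alerts

# Constructed sample log lines (not real captures).
SAMPLE_LINES = [
    "<38>Sep 15 10:01:02 outside1 sshd[4242]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "<37>Sep 15 10:01:05 inside1 sudo[311]: bob : user NOT in sudoers ; TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "<30>Sep 15 10:01:07 proxy1 httpd[77]: GET /index.html 200",
]

if __name__ == "__main__":
    for alert in passive_hids(SAMPLE_LINES, [2, 3, 2, 4, 3, 2], 40):
        print(alert)
```

Signature matching only finds what is already in the database, which is the limitation the paragraph itself states; the anomaly detector catches a departure from the trained baseline whether or not a signature exists, at the cost of needing a representative training period.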
[0015] The second compartment 20 is where the HIDS software will actually operate. This HIDS software will monitor events real time as they occur on the operating system and is labeled "high." The first compartment 14, which is the system level auditing function, can read and execute data from the second compartment 20 having the HIDS software as indicated by the arrow identified by numeral 16. 

[0016] The third compartment 28 is where the source code for the HIDS software resides and is labeled "low." The second compartment 20, the HIDS software labeled "high," allows the reading and execution of the source code software programs from the third compartment 28, the HIDS software labeled "low," but will not allow the modification or configuration of the software source code as indicated by the arrow identified by numeral 24. 

[0017] An illustrative, but nonlimiting, example of this type of the HIDS software for both the second compartment 20 and the third compartment 28 includes Intruder Alert™, licensed by Symantec Corporation and having a place of business at 20330 Stevens Creek Blvd, Cupertino, California 95014. This illustrative, but nonlimiting, example software program is a host-based, real-time intrusion monitoring system that detects unauthorized activity and security breaches and responds automatically. If a threat is detected, it sounds an alarm or takes other countermeasures according to pre-established security policies in order to prevent information loss or theft. The administrator(s) can create, update, and deploy policies and securely collect and archive audit logs for incident analysis, all while maintaining the availability and integrity of the secure network system 10. This example software enables the development of precautionary security policies that prevent hackers or authorized users with malicious intent from misusing the system 10, software applications 42 and associated data. 

[0018] There is a system health monitoring tool that includes a fourth compartment and a fifth compartment indicated by numerals 21 and 23, respectively. A system health monitoring tool involves centralized or distributed monitoring of server health and response time. The system health monitoring tool also provides automated root cause analysis that can pinpoint the source of server problems, correct formatted page response time problems by understanding which elements are under-performing, validate the content delivery of dynamically formatted pages, and understand system usage with access log monitoring. 

[0019] The fourth compartment 21 is where the system health monitoring tool will actually operate and is labeled "high." The first compartment 14, which is the system level auditing function, can read and execute data from the fourth compartment 21 having the system health monitoring tool software as indicated by the arrow identified by numeral 17. 

[0020] The fifth compartment 23 is where the source code software programs for the system health monitoring tool reside and is labeled "low." The fourth compartment 21, system health monitoring tool labeled "high," allows the reading and execution of these source programs from the fifth compartment 23, which is the system health monitoring tool labeled "low," but will not allow the modification or configuration of the source code software programs as indicated by the arrow identified by numeral 19. 

[0021] An illustrative, but nonlimiting, example of this type of system health monitoring tool software for both the fourth compartment 21 and the fifth compartment 23 includes: HP Open View™, licensed by Hewlett-Packard Company and having a place of business at 3000 Hanover Street, Palo Alto, California 94304-1185; TIVOLI®, licensed by IBM® North America having a place of business at 1133 Westchester Avenue, White Plains, New York 10604; and BMC PATROL®, licensed by BMC Software, Inc., having a place of business at 2101 City West Blvd., Houston, Texas 77042-2827. 

[0022] Some of the features from the above illustrative, but nonlimiting, example software programs include the automation of support functions such as providing parameters for monitoring the environment for the secure network system 10 and providing automatic recovery actions where appropriate, to handle unattended actions. Administrative functions performed by this software can include canceling, deleting or resubmitting jobs, reporting status of individual job completions, triggering a watchdog cycle, enabling or disabling service-level tracing for diagnostics, purging old status objects and viewing the details of all events for the secure network system 10. 
[0023] There is an integrity check system that includes a sixth compartment and a seventh compartment indicated by numerals 22 and 30, respectively. System integrity checking involves the quality of correctness, completeness, wholeness, soundness and compliance with the intention of the people who created the data. This is achieved by determining that there was no accidental or deliberate, but unauthorized, insertion, modification or destruction of data in the system 10. Data integrity is one of the six fundamental compartments of information security, which include: confidentiality; possession; integrity; authenticity; availability; and utility. The integrity check system 22 and 30 will monitor changes to a baseline configuration of the operating system and other third party software. If a change is detected to a baseline configuration parameter, an alert can be generated to acknowledge the change. 
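The baseline-and-compare check that paragraph [0023] describes, as an added example that is not the patent's own code nor that of the product named in paragraph [0026]. It assumes the configuration state of a "low" compartment can be modelled as a mapping from file path to permission bits and content; the sample file trees are constructed. A change to a file's content, its mode bits, or the set of files each raises one alert, which is what an administrator would want to acknowledge.

```python
"""Added example (not from the patent): baseline snapshot of configuration
files and binaries, and a comparison that reports every deviation."""
import hashlib
import stat
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # path -> (mode bits, sha256 of content)

def fingerprint(mode: int, content: bytes) -> Tuple[int, str]:
    """Permission bits plus a SHA-256 of the content identify a file's state."""
    return (stat.S_IMODE(mode), hashlib.sha256(content).hexdigest())

def snapshot_from_mapping(files: Dict[str, Tuple[int, bytes]]) -> Snapshot:
    """Baseline from an in-memory mapping (used for the constructed sample below)."""
    return {path: fingerprint(mode, data) for path, (mode, data) in files.items()}

def snapshot_directory(root: str) -> Snapshot:
    """Baseline of a real directory tree; paths are stored relative to root."""
    snap: Snapshot = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            snap[str(p.relative_to(root))] = fingerprint(p.stat().st_mode, p.read_bytes())
    return snap

def compare(baseline: Snapshot, current: Snapshot) -> List[str]:
    """Return one alert per deviation from the baseline configuration."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(f"DELETED {path}")
        elif path not in baseline:
            alerts.append(f"ADDED {path}")
        else:
            (bmode, bhash), (cmode, chash) = baseline[path], current[path]
            if bmode != cmode:
                alerts.append(f"MODE {path} {oct(bmode)} -> {oct(cmode)}")
            if bhash != chash:
                alerts.append(f"MODIFIED {path}")
    return alerts

# Constructed sample: the proxy "low" compartment's binaries and configuration.
BASELINE_FILES = {
    "etc/proxy.conf":  (0o640, b"listen 8080\nupstream inside1:8443\n"),
    "bin/proxyd":      (0o755, b"\x7fELF...constructed-binary..."),
    "etc/allowed.ext": (0o644, b"html\ncss\njs\npng\n"),
}
# The same tree after three changes: config edited, binary made setuid, extra file.
CURRENT_FILES = {
    "etc/proxy.conf":  (0o640, b"listen 8080\nupstream inside2:8443\n"),
    "bin/proxyd":      (0o4755, b"\x7fELF...constructed-binary..."),
    "etc/allowed.ext": (0o644, b"html\ncss\njs\npng\n"),
    "bin/unexpected":  (0o755, b"constructed"),
}

def run_check() -> List[str]:
    """Compare the constructed 'current' tree against the constructed baseline."""
    return compare(snapshot_from_mapping(BASELINE_FILES),
                   snapshot_from_mapping(CURRENT_FILES))

if __name__ == "__main__":
    for alert in run_check():
        print(alert)
```

For a live system, take the baseline with `snapshot_directory` from a known-good state and store it somewhere the monitored compartment cannot write, which is exactly the separation the "high"/"low" labelling in the description provides; a baseline the monitored host can rewrite is no baseline at all.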

[0024] The sixth compartment 22 is where the integrity check system will actually operate and is labeled "high." The first compartment 14, which is the system level auditing function, can read and execute data from the sixth compartment 22 having the integrity check software as indicated by the arrow identified by numeral 18. 

[0025] The seventh compartment 30 is where the source code software programs for the integrity check system reside and is labeled "low." The sixth compartment 22, integrity check system labeled "high," allows the reading and execution of these source programs from the seventh compartment 30, which is the integrity check system labeled "low," but will not allow the modification or configuration of the source programs as indicated by the arrow identified by numeral 26. 

[0026] An illustrative, but nonlimiting, example of this type of the integrity check system software for both the sixth compartment 22 and the seventh compartment 30 includes Enterprise Security Manager™, licensed by Symantec Corporation and having a place of business at 20330 Stevens Creek Blvd, Cupertino, California 95014. This illustrative, but nonlimiting, example software program provides a comprehensive security policy compliance management of software applications and operating systems across an enterprise. This example software program from a single location can manage the discovery of policy deviations and vulnerabilities and can quickly and cost-effectively create baselines and measure performance against those baselines to identify systems that are not in compliance and correct faulty settings to bring the secure network system 10 back into compliance. Moreover, this example software program performs over 1,500 checks, automatically assessing policy compliance and security on servers, workstations, routers, hubs, applications, and databases and is scalable. 
[0027] Collectively, the previously described system level auditing 14, intrusion detection system 20, 28, system health monitoring tool 21, 23 and the integrity check system 22, 30 are referred to as "monitoring function" and are indicated by numeral 37. However, each one of these features alone or in combination can provide a "monitoring function" as well as a number of other similar software features that monitor performance of the system or provide analysis to recognize potential or real security threats. Not all of these features are required. 

[0028] The compartmentalized secure network system of the present invention 10 obtains access to an untrusted computer network 36, which can include, but is not limited to, a global computer system or Internet, through an outside server indicated by an eighth compartment 44 and a ninth compartment 60. These servers are preferably, but not necessarily, "web servers." A web server is a program using the client/server model and, preferably but not necessarily, the Hypertext Transfer Protocol (HTTP), to provide files that form formatted pages for users that make requests. Although the term "web" is utilized, the present invention is not restricted to the Internet 36 or the World Wide Web. The client/server model describes the relationship between two computer programs in which one program, the client, makes a service request from another program, the server, which fulfills the request. The client/server model provides a convenient way to interconnect programs that are distributed efficiently across different locations within a network. 

[0029] The eighth compartment 44 is established to host the external untrusted computer network, e.g., global computer system 36. This is the portion of the compartmental design that faces the public from an untrusted source. From this region, all requests are received, processed, and then passed to other regions of the compartmentalized secure network system 10 for further processing. This eighth compartment 44 is where the outside server executes and is labeled "high." Preferably, but not necessarily, this server is a web server, which is a computer that delivers or serves up formatted, e.g., web, pages. Every web server has an IP (Internet Protocol) address and possibly a domain name. When a Uniform Resource Locator (URL) is entered in a web browser, this sends a request to the outside server 44 with a matching domain name. The outside server 44 then fetches the page named "index.html" and sends it to the web browser. 
[0030] The third compartment for the intrusion detection system 28 can read and execute data from the eighth compartment 44 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 77. The fifth compartment for the system health monitoring tool 23 can read and execute data from the eighth compartment 44 where the outside server executes and is labeled "high," as indicated by the arrow identified by numeral 29. The seventh compartment for the integrity check system 30 can read and execute data from the eighth compartment 44 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 27. 

[0031] This limited access to the compartment 44 where the outside server executes and is labeled "high," as well as other compartments of the compartmentalized secure network system 10, prevents the graphics from the untrusted computer network, e.g., web pages, from being defaced due to the blocking of data from upper levels of compartments. No configuration changes are allowed in this eighth compartment 44. Configuration is the way a computer system is set up, or the assortment of compartments that make up the system. Configuration can refer to either hardware or software, or the combination of both. 

[0032] This eighth compartment 44, outside server labeled "high," can read and execute from the ninth compartment 60, as indicated by the arrow identified as numeral 50, where the outside server is labeled "low." This ninth compartment 60 is where the encryption binaries and configuration source code files for the outside server reside. This is where configuration changes can be made to the outside server. 

[0033] A nonlimiting example of an outside server for both the eighth compartment 44 and the ninth compartment 60 includes the Sun ONE™ web server, sold by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. 

[0034] Adjacent to the eighth compartment 44 and ninth compartment 60 is a proxy server indicated by a tenth compartment 46 and an eleventh compartment 62. In typical applications, a proxy server is a server that sits between an outside server and system software applications. A proxy server intercepts all requests from the outside server 44 and 60 to see if it can fulfill the requests itself. If not, it forwards the request to an inside server 48 and 64, described hereinafter. There are two main purposes for a proxy server. The first is to drastically improve performance for groups of users by saving the results of all requests for a certain amount of time. The proxy server can provide the same requested formatted, e.g., web, page itself rather than procure the web page from the outside server, which can save considerable time. The second primary function of the proxy server is to filter requests. This can include preventing access to objectionable websites. It can also include checking binary string size against a predetermined threshold, performing buffer checks, and determining whether there are file extension requests, among other potential checks, to evaluate the request. 

[0035] The tenth compartment 46 is where a proxy server resides to filter requests received from the outside server 44 that is labeled "high." At this tenth compartment 46, additional screening is performed on the incoming request, such as hypertext transfer protocol request buffer checks and file extension requests, which are validated for legitimacy prior to allowing any further processing of the request. This tenth compartment 46 can read and execute from the eleventh compartment 62 for the proxy server that is labeled "low." 
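The request screening that paragraphs [0034] and [0035] place in the proxy compartment (buffer and size checks, a binary-string threshold, and file extension validation), written out as an added example over raw HTTP/1.x request bytes. It is not the patent's code nor the named proxy product's; the thresholds, the extension allowlist and the sample requests are all my own constructed values, chosen to exercise each check once.

```python
"""Added example (not from the patent): the proxy compartment's request
screening as a standalone, default-deny filter over raw HTTP request bytes."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

# Illustrative ceilings (assumptions); a deployment would tune them.
MAX_REQUEST_BYTES = 8192        # whole request buffer
MAX_REQUEST_LINE = 1024         # "METHOD target HTTP/x.y"
MAX_HEADERS = 50
MAX_HEADER_LINE = 512
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_EXTENSIONS = {"html", "css", "js", "png", "jpg", "gif", "ico"}
BINARY_RUN_THRESHOLD = 64       # longest permitted run of non-printable bytes

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
_NONPRINTABLE_RUN = re.compile(rb"[^\x20-\x7e\r\n\t]+")

def extension_of(path: str) -> Optional[str]:
    """Extension of the last path component, or None for a directory-style path."""
    last = path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return last.rsplit(".", 1)[-1].lower()

def screen_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check is a ceiling on what is forwarded."""
    if len(raw) > MAX_REQUEST_BYTES:                        # buffer check
        return False, "request exceeds buffer size"
    m = _NONPRINTABLE_RUN.search(raw)                       # binary string threshold
    if m and len(m.group(0)) > BINARY_RUN_THRESHOLD:
        return False, "binary string exceeds threshold"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    rl = _REQUEST_LINE.match(lines[0])
    if not rl:
        return False, "malformed request line"
    method = rl.group(1).decode()
    target = rl.group(2).decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(lines) - 1 > MAX_HEADERS or any(len(h) > MAX_HEADER_LINE for h in lines[1:]):
        return False, "header limits exceeded"
    path = unquote(urlsplit(target).path) or "/"            # decode before judging
    if "\x00" in path or ".." in path.split("/"):
        return False, "path contains null or traversal component"
    ext = extension_of(path)                                # file extension check
    if ext is None:
        return True, "directory request, index page will be served"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"file extension .{ext} not allowed"
    return True, "ok"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":   b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "root":     b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "badext":   b"GET /cgi-bin/run.pl HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "traverse": b"GET /images/..%2f..%2fconf/proxy.conf HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "oversize": b"GET /" + b"A" * 2000 + b".html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "binary":   b"GET /index.html HTTP/1.1\r\nX: " + b"\x90" * 200 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:9s} -> {screen_request(req)}")
```

The order of the checks matters: size and binary-content limits run on the raw bytes before any parsing, so a malformed request is discarded without the parser ever touching it, and the path is percent-decoded before the traversal and extension tests so that encoding cannot slip a component past them.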

[0036] An illustrative, but nonlimiting, example of a proxy server that can function for both the tenth compartment 46 and the eleventh compartment 62 includes the Sun ONE™ proxy server sold by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. 

[0037] The third compartment for the intrusion detection system 28 can read and execute data from the tenth compartment 46 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 31. The fifth compartment for the system health monitoring tool 23 can read and execute data from the tenth compartment 46 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 73. The seventh compartment for the integrity check system 30 can read and execute data from the tenth compartment 46 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 79. 

[0038] The eighth compartment 44 for the outside server labeled "high" can read and write to the tenth compartment 46 where the proxy server resides that is labeled "high" as indicated by the arrow identified by numeral 52. This eleventh compartment 62 is where the source programs for the proxy server reside as well as the location where configuration changes can be made to the proxy server. This tenth compartment 46, proxy server labeled "high," can read and execute from the eleventh compartment 62, as indicated by the arrow identified as numeral 74, where the proxy server is labeled "low," which is where the binaries and configuration source code files for the proxy server reside. This is also where configuration changes can be made to the proxy server. Configuration is the way a computer system is set up, or the assortment of compartments that make up the system. Configuration can refer to either hardware or software, or the combination of both. 

[0039] Adjacent to the tenth compartment 46 and the eleventh compartment 62 is an inside server indicated by a twelfth compartment 48 and a thirteenth compartment 64. An inside server is the secure portion of the compartmental design of the secure network system 10. From this region, all requests received from the untrusted source or computer system, e.g., public facing Internet 36, through the outside server 44 and 66, have been screened and deemed valid for enterprise processing within the secure network system 10. The read/write function from the proxy server 46 that is labeled "high" to the inside server that is labeled "high" is indicated by the arrow identified by numeral 56. No configuration changes are allowed within this twelfth compartment 48 for the inside server. 

[0040] A nonlimiting example of an inside server for both the twelfth compartment 48 and the thirteenth compartment 64 includes the Sun ONE™ web server, sold by Sun Microsystems, Inc. having a place of business at 4150 Network Circle, Santa Clara, California 95054. 

[0041] The connectivity to the enterprise application logic for the secure application processing 42 resides within this twelfth compartment 48 through the read/write function that is indicated by the arrow having the numeral 58. This provides connection to at least one secure software application for the enterprise. 

[0042] For the inside server, the twelfth compartment 48 reads data and executes from the thirteenth compartment 64, wherein the thirteenth compartment 64 is the place where the binaries and configuration files reside. No configuration changes are allowed within the thirteenth compartment 64. The capability for the twelfth compartment 48 to read data from the thirteenth compartment 64 is indicated by the arrow identified by numeral 54. The thirteenth compartment 64 is where the source programs for the inside server reside as well as the location where configuration changes can be made to the inside server. 

[0043] The third compartment for the intrusion detection system 28 can read and execute data from the twelfth compartment 48 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 25. The fifth compartment for the system health monitoring tool 23 can read and execute data from the twelfth compartment 48 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 75. The seventh compartment for the integrity check system 30 can read and execute data from the twelfth compartment 48 where the outside server executes and is labeled "high" as indicated by the arrow identified by numeral 34. 
[0044] The fourteenth compartment 66 is the core operating system. The core operating system is a master control program that runs the secure network system 10. The operating system sets the standards for all application programs that run in the computer. All of the software applications in the system communicate with an operating system for all user interface and file management operations. Moreover, the operating system oversees the following functions: user interface; job management; task management; data management; device management for peripherals; security to keep unauthorized users out of the system; and backup and recovery functions. The core operating system in the fourteenth compartment 66 allows the ninth compartment 60, which is the outside server labeled "low" that has the encryption binaries and configuration files for the outside server, to read and execute source programs from this fourteenth compartment 66 as indicated by the arrow identified by numeral 68, but it cannot change any configuration settings within the core operating system. Moreover, the core operating system in the fourteenth compartment 66 allows the eleventh compartment 62, which is the proxy server labeled "low" that has the binaries and configuration files for the proxy server, to read and execute source programs from this fourteenth compartment 66 as indicated by the arrow identified by numeral 70, but it cannot change any configuration settings within the core operating system. In addition, the core operating system in the fourteenth compartment 66 allows the thirteenth compartment 64, which is the inside server labeled "low" that has the binaries and configuration files for the inside server, to read and execute source programs from this fourteenth compartment 66 as indicated by the arrow identified by numeral 72, but it cannot change any configuration settings within the core operating system. 
[0045] Events generated from external devices such as networking compartments can forward the previously described syslog activities, with a read/write function 38, through the eighth compartment 44, which is where the outside server labeled "high" executes, then through the tenth compartment 46, which is where the proxy server executes and filters HTTP requests based on a configurable parameter, then through the twelfth compartment 48, which is where the inside server labeled "high" executes, and then into the host-based intrusion detection systems indicated by numeral 40. However, it is possible to directly affect or shut down the at least one software application 42.
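The following is an added example and is not part of this specification or of the described system. It models the access relationships of paragraphs [0042] through [0045] as a default-deny reference monitor and then checks, by searching for chains of permitted operations, the stated property that no compartment can change the core operating system compartment 66 either directly or through another compartment, while the syslog chain 44, 46, 48, 40 remains reachable. The compartment numerals, "high"/"low" labels and arrows are those of the text; the operation names, the one-way direction assumed for the syslog chain, the "n/a" label where the text states none, and the monitor interface are assumptions made for illustration.

```python
"""Reference-monitor model of the compartment policy in [0042]-[0045].

Added example, not part of the patent. Compartment numerals, labels and
arrows come from the text; operation names, the assumed one-way direction
of the syslog chain, the "n/a" label and the API are assumptions.
"""
from collections import deque
from dataclasses import dataclass

READ, EXECUTE, WRITE = "read", "execute", "write"


@dataclass(frozen=True)
class Compartment:
    num: int
    role: str
    label: str  # "high" / "low" as stated in the text, "n/a" otherwise


COMPARTMENTS = {
    23: Compartment(23, "system health monitoring tool", "n/a"),
    28: Compartment(28, "intrusion detection system", "n/a"),
    30: Compartment(30, "integrity check system", "n/a"),
    40: Compartment(40, "host-based intrusion detection", "n/a"),
    44: Compartment(44, "outside server, executing", "high"),
    46: Compartment(46, "proxy server, executing", "n/a"),
    48: Compartment(48, "inside server, executing", "high"),
    60: Compartment(60, "outside server binaries/config", "low"),
    62: Compartment(62, "proxy server binaries/config", "low"),
    64: Compartment(64, "inside server binaries/config", "low"),
    66: Compartment(66, "core operating system", "n/a"),
}

# Explicit grants (subject, object, operation). Anything absent is denied.
GRANTS = {
    (48, 64, READ),                          # arrow 54
    (28, 48, READ), (28, 48, EXECUTE),       # arrow 25
    (23, 48, READ), (23, 48, EXECUTE),       # arrow 75
    (30, 48, READ), (30, 48, EXECUTE),       # arrow 34
    (60, 66, READ), (60, 66, EXECUTE),       # arrow 68
    (62, 66, READ), (62, 66, EXECUTE),       # arrow 70
    (64, 66, READ), (64, 66, EXECUTE),       # arrow 72
    # Syslog forwarding of [0045] (read/write function 38), modelled as
    # one-way writes hop by hop; the direction is an assumption.
    (44, 46, WRITE), (46, 48, WRITE), (48, 40, WRITE),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check(subject: int, obj: int, op: str) -> Decision:
    """Default-deny monitor: only same-compartment access or a listed grant."""
    if subject not in COMPARTMENTS or obj not in COMPARTMENTS:
        return Decision(False, "unknown compartment")
    if subject == obj:
        return Decision(True, "access within own compartment")
    if (subject, obj, op) in GRANTS:
        return Decision(True, f"explicit grant {subject}->{obj} {op}")
    return Decision(False, f"no grant for {subject}->{obj} {op}")


def find_path(src: int, dst: int, ops):
    """Shortest chain of compartments from src to dst using only `ops`.

    Breadth-first search over the grant table; returns None if unreachable.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for s, o, op in GRANTS:
            if s == cur and op in ops and o not in prev:
                prev[o] = cur
                queue.append(o)
    return None


def writers_to(target: int):
    """Compartments able to modify `target` directly or through a chain."""
    return sorted(c for c in COMPARTMENTS
                  if c != target and find_path(c, target, {WRITE}) is not None)


if __name__ == "__main__":
    print(check(60, 66, EXECUTE))       # allowed, arrow 68
    print(check(60, 66, WRITE))         # denied: config of 66 is immutable
    print("can modify core OS 66:", writers_to(66))
    print("syslog chain 44->40:", find_path(44, 40, {WRITE}))
```

The search over chains is what distinguishes this from reading the arrows off the figure: `writers_to(66)` returning an empty list shows that the no-configuration-change property of [0044] holds transitively, and `writers_to(40)` lists exactly the three compartments in the syslog chain of [0045].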

[0046] Therefore, this secure network system 10 provides protection of content with an untrusted access, e.g., a public site, available from the untrusted network, e.g., a global computer system such as, but not limited to, the Internet, as well as providing safe passage of the data from this public site to an organization's secure computing environment. This provides a significant advantage for any organization that transmits and receives personal, confidential, proprietary and/or financial data. This secure network system 10 is applicable to virtually every industry, with particular applicability to organizations that conduct financial transactions over a global computer system, e.g., the Internet, such as the financial services industry, as well as to inventory control. Moreover, this secure network system 10 is particularly beneficial for credit card transactions. Other industries that could benefit from the secure network system include the government, e.g., military organizations, healthcare and the airline industry. Moreover, a particular benefit of the secure network system 10 is the prevention of hacking and associated defacing of websites that are accessible to the public. By using logical compartments or sensitivity labels or a combination of both, this entire secure network system 10 can be reduced or collapsed to a single processor for a significant reduction of cost for an enterprise that has Common Criteria Certification. Moreover, the present invention can work in systems that have compartments that use either WINDOWS® and/or UNIX® or a combination of both operating systems. An additional benefit of using logical compartments or sensitivity labels or a combination of both is that it provides the ability to draw hackers or other unethical individuals into the secure network system 10 to obtain additional forensic information to predict trends that can be helpful in preventing attacks and in providing reliable evidence to the appropriate authorities in law enforcement.
[0047] The number of logical compartments or sensitivity labels can vary tremendously and should not necessarily be limited to one of each type. This is especially true for the number of outside servers 44 and 60, proxy servers 46 and 62, and inside servers 48 and 64, wherein there are situations where it may be particularly advantageous to have more than one of each type of server or other type of logical compartment and/or sensitivity label.
[0048] Although the preferred embodiment of the present invention and the method of using the same have been described in the foregoing specification in considerable detail, it is to be understood that modifications may be made to the invention which do not exceed the scope of the appended claims, and modified forms of the present invention incorporated by others skilled in the art to which the invention pertains will be considered infringements of this invention when those modified forms fall within the claimed scope of this invention.